W3C home > Mailing lists > Public > public-aria-admin@w3.org > March 2016

Re: 7 Day Call for Consensus March 17, 2016 ARIA Working Group Resolutions

From: Rich Schwerdtfeger <richschwer@gmail.com>
Date: Thu, 31 Mar 2016 11:20:58 -0500
Cc: Cynthia Shelly <cyns@microsoft.com>, Matt King <a11ythinker@gmail.com>, John Foliot <john.foliot@deque.com>, Léonie Watson <tink@tink.uk>, ARIA Working Group <public-aria-admin@w3.org>
Message-Id: <48382014-30B4-4091-B2DB-2B1D1075D80B@gmail.com>
To: Joseph Scheuhammer <clown@alum.mit.edu>
I spoke with Brett Lewis at Freedom Scientific and he agreed with the solution that if a password role were applied that rather that echoing they keys typed or speaking stars for each character typed that they need to echo the character *rendered*. He also had no issues with making this an author MUST for ATs because of the security issues. Users will also need to be made aware that if they run across a password field and the characters spoken, while typing, match their password that there are exposed to a security risk. 

So, the net, net of this is that if we can get the ATVs to agree to this then this would solve all the issues related to a role=“password”. 


Rich

Rich Schwerdtfeger




> On Mar 29, 2016, at 4:01 PM, Joseph Scheuhammer <clown@alum.mit.edu> wrote:
> 
> On 2016-03-29 1:10 PM, Cynthia Shelly wrote:
>> The password role does not prevent accessing the content of the
>> password field from script.
> 
> Somewhat tangential, but the same is true for an html5 password
> <input>.  Its @value attribute contains the password in plain text.
> 
> -- 
> ;;;;joseph.
> 
> 'Die Wahrheit ist Irgendwo da Draußen. Wieder.'
>                 - C. Carter -
> 


Received on Thursday, 31 March 2016 16:21:26 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:59:02 UTC